\begin{slide}{Points-to analysis}
\begin{itemize}
\item Default points-to analysis assumes that any pointer can point to any object
\item Spark provides variations of context-insensitive subset-based
points-to analysis
\begin{itemize}
\item Work in progress on context-sensitive analyses
\end{itemize}
\end{itemize}
\end{slide}

\begin{slide}{Spark settings}
\begin{itemize}
\item \texttt{-p cg.spark on} turns on Spark
\begin{itemize}
\item Spark used for both call graph, and points-to information
\item Default setting is on-the-fly call graph, field-sensitive,
most efficient algorithm and data structures
\end{itemize}
\item \texttt{-p cg.spark vta} Spark as VTA
\item \texttt{-p cg.spark rta} Spark as RTA
\end{itemize}
\end{slide}

\begin{slide}{PointsToAnalysis interface}
\begin{description}
\item
[\texttt{\small reachingObjects(Local)}]
returns {\tt PointsToSet} of objects pointed to by a local variable\\
{\tt x = y}

\item
[\texttt{\small reachingObjects(SootField)}]
returns {\tt PointsToSet} of objects pointed to by a static field\\
{\tt x = C.f}

\item
[\texttt{\small reachingObjects(Local,SootField)}]
returns {\tt PointsToSet} of objects pointed to by given instance field
of the objects pointed to by local variable\\
{\tt x = y.f}
\end{description}
\sablefootnote{soot.PointsToAnalysis}
\end{slide}

\begin{slide}{PointsToSet interface}
\begin{description}
\item [\texttt{\small possibleTypes()}] returns a set of the possible types of the
objects in the points-to set
\item [\texttt{\small hasNonEmptyIntersection(PointsToSet)}] tells us whether
two points-to sets may overlap (whether the pointers may be aliased)
\end{description}
\sablefootnote{soot.PointsToSet}
\end{slide}

\begin{slide}{If I want to know...}
... the types of the receiver o in the call: \texttt{o.m(\ldots)}\\
\hspace{10mm}
\begin{alltt}
Local o;
PointsToAnalysis pa =
     Scene.v().getPointsToAnalysis();
PointsToSet ptset = 
     pa.reachingObjects( o );
java.util.Set types =
     ptset.possibleTypes()
\end{alltt}
\end{slide}

\begin{slide}{If I want to know...}
... whether \texttt{x} and \texttt{y} may be aliases in\\
\texttt{x.f = 5;\\ y.f = 6;\\ z = x.f;}\\
\hspace{10mm}
\begin{alltt}
Local x, y;
PointsToSet xset =
    pa.reachingObjects( x );
PointsToSet yset =
    pa.reachingObjects( y );
if(xset.hasNonEmptyIntersection(yset))
    // they're possibly aliased
\end{alltt}
\end{slide}

\begin{slide}{SideEffectTester interface}
Reports side-effects of any statement, including calls
\begin{description}
\item [\texttt{newMethod(SootMethod)}] tells the side-effect tester that
we are starting a new method
\item [\texttt{unitCanReadFrom(Unit,Value)}]
returns true if the Unit (statement) might read the Value
\item [\texttt{unitCanWriteTo(Unit,Value)}]
returns true if the Unit (statement) might write the Value
\end{description}
\sablefootnote{soot.SideEffectTester}
\end{slide}

\begin{slide}{Implementations of SideEffectTester}
\begin{description}
\item [\texttt{NaiveSideEffectTester}]\ \\
\begin{itemize}
\item is conservative
\item does not use call graph or points-to information
\item does not require whole-program mode
\end{itemize}
\item [\texttt{PASideEffectTester}]\ \\
\begin{itemize}
\item uses current call graph
\item uses current points-to information
\begin{itemize}
\item this may be naive points-to information
\end{itemize}
\end{itemize}
\end{description}
\sablefootnote{soot.jimple.NaiveSideEffectTester\\soot.jimple.toolkits.pointer.PASideEffectTester}
\end{slide}

